esa navisp element 1 system suitability study for train

Reference: NAVISP1-ESR-NSL-EL1003-022 Issue: 1.2 Date: 13/01/2021

STEMS Executive Summary Report v1.2 13/01/2021 of 24

ESA NAVISP Element 1

System Suitability Study for Train Positioning using

GNSS in the European Rail Traffic Management System (STEMS)

Executive Summary Report Name – Responsibility Date Signature

Prepared by Madeleine McCreadie Michael Hutchinson

21/08/2020

Checked by Michael Hutchinson 21/08/2020

Authorised by Mark Dumville 21/08/2020

Total Pages: 24

Document Classification: Public

EUROPEAN SPACE AGENCY CONTRACT REPORT

The work described in this document was done under ESA Contract. Responsibility for the contents reside in

the author or organisation that prepared it



Change Record Issue / Rev.

Date §: Change Record Authors

V1.0 29/07/2020 The first version of the STEMS Final Report delivered to ESA

Madeleine McCreadie Michael Hutchinson

V1.1 21/08/2020 Modifications to address ESA RIDS Madeleine McCreadie Michael Hutchinson

V1.2 13/01/2021 Version for public release



Table of Contents

1 INTRODUCTION ................................................................................................... 5

1.1 Purpose of Document .................................................................................................. 5

1.2 Contents of Document ................................................................................................ 5

1.3 References .................................................................................................................... 5 1.3.1 Applicable Documents ............................................................................................. 5 1.3.2 Reference Documents ............................................................................................. 6

1.4 Acronyms ..................................................................................................................... 8

2 STEMS PROJECT OVERVIEW .......................................................................... 10

2.1 Project Objectives ...................................................................................................... 10

2.2 STEMS Project Partners and their Roles ................................................................. 10 2.2.1 Nottingham Scientific Limited (NSL) (Lead Contractor) ........................................ 10 2.2.2 TUV Rheinland ...................................................................................................... 10 2.2.3 GMV ...................................................................................................................... 10 2.2.4 Telespazio Vega UK (TVUK) ................................................................................. 11 2.2.5 University of Pardubice (UPA) ............................................................................... 11

2.3 Work Breakdown Logic ............................................................................................. 12

3 STEMS PROJECT OVERVIEW .......................................................................... 13

3.1 WP1000: Review and Consolidation of Requirements and Assumptions for Virtual Balise Detection in ERTMS using GNSS ............................................................... 13

3.2 WP2000: SBAS Suitability Analysis for use in ERTMS .......................................... 14

3.3 WP3000: Analysis of the suitability of SBAS for Cross-Acceptance by Railway Safety Authorities ................................................................................................................ 20

4 CONCLUSIONS .................................................................................................. 23

4.1 Project Outcomes ...................................................................................................... 23

4.2 Future Work ................................................................................................................ 23



List of Tables

Table 1-1: List of Applicable Documents .................................................................................. 5 Table 1-2: List of Reference Documents .................................................................................. 8 Table 1-3: Acronyms ................................................................................................................. 9 Table 3-1: Gaps related to Onboard GNSS Receiver .............................................................. 18 Table 3-2: Recommendations on how identified SBAS Receiver Gaps can be addressed ..... 20



1 INTRODUCTION

1.1 Purpose of Document This document is the executive summary report for the System Suitability Study for Train Positioning using GNSS in the European Rail Traffic Management System (STEMS) project (Contract No 4000123992/18/NSL/DB). This document is delivered as part of Work Package 0. This document provides an overview of the project, the key project results and findings and the conclusions including what has been determined and how the approach is to be carried forward. This project was carried out as part of the ESA NAVISP programme under Element 1 (Innovation in Satellite Navigation). The main goal is to generate innovative concepts, techniques, technologies and systems linked to the PNT sector, along the entire value chain. The highly dynamic PNT environment GNSS components shall not be considered in isolation but in combination with other PNT technologies to enable the emergence of attractive solutions. 1.2 Contents of Document The content and structure of this document is as follows:

• Section 1 (current section) describes the purpose of the document and lists applicable and reference documents.

• Section 2 provides an overview of the STEMS project; this includes the project’s objectives and contractors involved in the project.

• Section 3 describes the work completed within the study within the three Work Packages throughout the duration of the project.

• Section 4 provides the conclusion to the project including the project’s main outcomes and way forward.

1.3 References 1.3.1 Applicable Documents The following documents, of the exact issue shown, form part of this document to the extent specified herein. Applicable documents are those referenced in the Contract or approved by the Approval Authority. They are referenced in this document in the form [AD X]:

Reference Title Code/ Origin Version Date

AD 1. Appendix 1 to ESA Contract 4000123992/18/NL/DB, Statement of Work ref

NAVISP1-SOW-ESA-003-00001 1.2 01/12/2017

AD 2. STEMS Technical, Management, Financial and Contractual Proposal

STPERTMS_9053_PRP_NSL 1.0 01/03/2018

AD 3.

ESA Contract 4000123992/18/NL/DB NAVISP-EL1-003 System Suitability Study for Train Positioning Using GNSS in ERTMS in 2020

ESA Contract 4000123992/18/

NL/DB 1.0 July 2018

Table 1-1: List of Applicable Documents



1.3.2 Reference Documents The following documents, although not part of this document, amplify or clarify its contents. Reference documents are those not applicable and referenced within this document. They are referenced in this document in the form [RD X]:


RD 1.

System Suitability Study for Train Positioning using GNSS in the European Rail Traffic Management System (STEMS)

D101: Technical Note on Requirements and Assumptions for Virtual Balise Detection in ERTMS using GNSS

NAVISP1-TN-NSL-EL1003-

001 1.3 07/02/2019

RD 2.


D201: SBAS for ERTMS Suitability Analysis File


007 2.0 14/05/2020

RD 3.


D301: Suitability Assessment of SBAS for Cross-Acceptance in Rail


017 1.1 27/07/2020

RD 4. EGNOS Safety of Life Service Definition Document

EGNOS-SoL-SDD 3.3 26/03/2019

RD 5.

Annexe 10 (Aeronautical Telecommunications) to the Convention on International Civil Aviation, Volume I – Radio Navigation Aids, International Standards and Recommended Practises (SARPS)

ICAO Doc. AN10-1 7th edition July 2016

RD 6.

Working Paper

Certification of EGNOS for Interoperable Railway Control-Command and Signalling Subsystems

WP-2018001 Issue 1

Revision 0

15/06/2018

RD 7.

Working Paper, Preliminary Study on the Use and Certification of EGNOS in Interoperable Railway Control-Command and Signalling Subsystems

WP201912/01 - 09/12/2019

RD 8. Next Generation of Train Control Systems

D7.7 Results of the Safety Analysis

NGTC-WP7-D7.7-000-

DAP-SafetyAnalysi

s

02 12/12/2016




RD 9.

Next Generation of Train Control Systems

D7.7 Results of the Safety Analysis – Appendix A

Positioning System Performance Parameters

NGTC-WP7-D7.7-00A-

ESA 05 12/12/2016

RD 10.


D7.7 Results of the Safety Analysis – Appendix B

Main Factors that can Affect the GNSS Signal

NGTC-WP7-D7.7-00B-

DAP 01 12/12/2016

RD 11.


D7.7 Results of the Safety Analysis – Appendix C

Principles, Procedures and Positioning System Performance Requirements

NGTC-WP7-D7.7-00C-

ESA 09 12/12/2016

RD 12.


D7.7 Results of the Safety Analysis – Appendix D

Safety Analysis of the Reference Case Studies for the NGTC Project

NGTC-WP7-D7.7-00D-

DAP 01 12/12/2016

RD 13.


D7.7 Results of the Safety Analysis – Appendix E

Safety Analysis Part 1 – Preliminary Functional Analysis

NGTC-WP7-D7.7-00E-

ESA 06 12/12/2016

RD 14.


D7.7 Results of the Safety Analysis – Appendix F

Safety Analysis Part 2 – Preliminary Assessment of the Virtual Balise Subsystem for THR Apportionment

NGTC-WP7-D7.7-00F-

ESA 08 12/12/2016

RD 15.


D7.7 Results of the Safety Analysis – Appendix G

Considerations on GNSS Integrity Service Provision

NGTC-WP7-D7.7-00G-

DAP 01 12/12/2016

RD 16.

EGNSS Target Performances to meet Railway Safety Requirements

Satellite Technology for Advanced Railway Signalling (STARS), D5.3

STR-WP5-D-ANS-034-06

Version 07 30/04/2017




RD 17.

Safety Analysis of ERSAT ERTMS Application over GNSS ERTMS on SATELLITE Galileo Game Changer, Deliverable D3.1

- Revision 02 20/09/2018

RD 18.

GNSS Quantitative Analysis for ERSAT GGC Project ERTMS on SATELLITE Galileo Game Changer, Deliverable D3.2

- Revision 02 29/10/2018

RD 19. UNISISG – “SUBSET-091 Safety Requirements for the Technical Interoperability of ETCS in Levels 1&2”

SUBSET-091 Issue 3.6.0 12/05/2016

RD 20. UNISIG, “SUBSET-088 ETCS Application Levels 1 & 2 - Safety Analysis”

SUBSET-088 3.6.0 20/06/2016

RD 21.

A preliminary Apportionment of Safety Targets for Virtual Balise Detection using GNSS in Future Evolutions of ERTMS, Wullems C., Sperandio F., Basso M., Sturaro S., Sabina S.

- - 17/10/2018

RD 22.

Minimum Operational Performance Standards for Global Positioning System/Satellite-Based Augmentation System Airborne Equipment.

RTCA SC-159 DO-229E - 15/12/2016

RD 23.

Minimum Operational Performance Standard for Galileo / Global Positioning System / Satellite-Based Augmentation System Airborne Equipment

EUROCAE, ED-259

0.9 -

RD 24. Minimum Operational Performance Standards for GPS Local Area Augmentation System Airborne Equipment.

RTCA SC-159 DO-229E

E 15/12/2016

RD 25.

GNSS Pseudorange Smoothing: Linear vs Non-Linear Filtering Paradigm K. Mazher, M. Tahir, K. Ali

- - 2016

Table 1-2: List of Reference Documents

1.4 Acronyms The following acronyms are used in the document and have been identified as necessary to be described:

Acronym Definition ATP Along Track Position ATPE Along Track Position Error



Acronym Definition ATPL Along Track Protection Level CTPL Cross Track Protection Level EGNOS European Geostationary Navigation Overlay Service ERTMS European Rail Traffic Management System ETCS European Train Control System EU European Union ESA European Space Agency GEO Geostationary (satellites) GNSS Global Navigation Satellite System GPS Global Positioning System GSM-R Global System for Mobile Communications - Railway HAL Horizontal Alert Limit HPE Horizontal Position Error HPL Horizontal Protection Level IGP Ionospheric Grid Points LDS Location Determination System LRBG Last Relevant Balise Group MA Movement Authority MDE Minimum Detectable Error MOPS Minimum Operational Performance Standards NGTC Next Generation Train Control NSL Nottingham Scientific Ltd PNT Position, Navigation and Timing RAM Reliability, Availability and Maintenance RBC Radio Block Centre SARPS Standards and Recommended Practices SBAS Satellite-Based Augmentation System SIS Signal-In-Space THR Tolerable Hazard Rate TTA Time To Alert VAL Vertical Alert Limit VPE Vertical Position Error VPL Vertical Protection Level VBDACC Virtual Balise Detection Accuracy WAAS Wide Area Augmentation System

Table 1-3: Acronyms



2 STEMS PROJECT OVERVIEW

2.1 Project Objectives The objective is to study the suitability of the current generation of SBAS for use in the evolution of the European Rail Traffic Management System (ERTMS) with virtual balise detection using GNSS, confirming the feasibility of current system allocations. This project is a necessary enabler on the system side for GNSS to be used in Safety of Life applications in the railway environment. It is expected that the project will enable the development of innovative downstream applications such as virtual balise detection in ERTMS, leveraging existing investments in SBAS to further improve the value proposition of these applications. The objectives of the STEMS project are to:

• Review and consolidate requirements and assumptions on virtual balise detection in ERTMS using GNSS.

• Study the suitability of the current generation of SBAS for use in the evolution of the European Traffic Management System (ERTMS) with virtual balise detection using GNSS, confirming the feasibility of current SBAS system allocations.

• Assess the suitability of SBAS for cross-acceptance by railway safety authorities, to be performed by an accredited railway independent safety assessor; and propose a methodology for building a suitable safety case for SBAS for use by the railway community in the ERTMS virtual balise application.

2.2 STEMS Project Partners and their Roles 2.2.1 Nottingham Scientific Limited (NSL) (Lead Contractor) NSL based in Nottingham, UK, is a dynamic SME with a high-calibre workforce who pride themselves on being at the forefront of technology development within the UK and EU space industry. We specialise in satellite navigation, in particular, the development of robust, reliable and cost-effective Global Navigation Satellite Systems (GNSS) applications and technology which enable organisations and individuals to maximise the benefits of high-accuracy navigation and positioning. Through our products and services, we contribute to improving the safety of citizens, national security strategies and the way business is conducted. 2.2.2 TUV Rheinland TÜV Rheinland is one of the world leaders in Independent Certification and Assessment, including NOBO/DEBO/AssBO services within the EU as well as Independent Assessment services worldwide as well as in Systems Assurance and RAMS consultancy, having undertaken hundreds of projects and studies throughout the US, Europe, Middle East and the Asia Pacific. TUV Rheinland UK is accredited as a Notified Body by UKAS under the 2008/57/EC Interoperability Directive for rail systems and has been active in the European market for over 30 years. TUV Rheinland is accredited against all of the Technical Specifications for Interoperability including Control, Command & Signalling (CCS TSI) applicable to WP3000. 2.2.3 GMV GMV Innovating Solutions S.R.L. is a Romanian company founded in 2011 with the overall mandate of targeting Aerospace, Defence, Transportation and Telecommunications markets



of/from Romania. GMV was present on the local market since 2009 and was very active in the first years in the area of Transportation. In the last years, the company prepared thoroughly for the Space market and built up expertise and a very ambitious local team. GMV built up an excellent relationship with local governmental, industrial and educational actors and regular contacts are maintained with ROSA, the Delegations and with ESA, in order to ensure the coherence between the strategy of GMV Romania and the interests of Romania. The GMV group is continuously investing in GMV Romania and one of the ways such investment is seen is through the knowledge and expertise transfer which is put into place whenever it is needed to approach a new technical challenge. Therefore, it is easy to relate to GMV Romania’s experience in the GNSS market to the experience and expertise provided by the GMV group. 2.2.4 Telespazio Vega UK (TVUK) Telespazio VEGA UK Ltd (TVUK) is a highly experienced consulting, technology and engineering services business, which supports satellite operators and manufacturers worldwide and helps other organisations benefit from space data and services. Based in the UK, it is a wholly owned subsidiary of Telespazio S.p.A, with its own management structures and reporting. VEGA was founded on a European spacecraft operations contract between the UK and Germany in 1978, a contract that we have held continuously to this day. Now part of the Telespazio Group, Telespazio VEGA UK Ltd provides expertise in the areas of:

• Satellite Systems and Applications (Ground Segment, Consulting and Engineering Services, User Services and Applications, Earth Observation)

• Geo Information & Navigation • Network and Connectivity

2.2.5 University of Pardubice (UPA) The University of Pardubice (UPA) has been extending a sixty-year long tradition of higher education in the city of Pardubice – see www.upce.cz. Currently, the university has more than 10 000 students and about 1 200 academic staff. Research and development in the field of GNSS for transport systems has been conducting at the Jan Perner Transport Faculty and at the Faculty of Electrical Eng. and Informatics in cooperation with Czech Railways since 1998. The GNSS related activities started within the European DG-XIII’s (4th Framework) project APOLO (Advanced Train Position Locator, 1998-2001) led by Thales Navigation with the aim to use the EGNOS Test Bed (ESTB) for railway signalling. The ESTB was tested on Czech trains in cooperation with the ESA / CNES from in Eastern Bohemia in 2001. ESA reported about these tests in its ESTB News in Sept. 2002. Then in next 15 years, the research at the UPA in the field of GPS/EGNOS/Galileo for transport was carried out in the form of several R&D projects supported by Czech National Science Foundation (GA CR), Czech Ministry of Transport and ESA. Most of these activities were conducted under the collaboration with Czech Railways, Railway Infrastructure Administration of Czech Republic (Laboratory of Intelligent Systems), Railway Research Institute (VUZ), which is NoBo for ERTMS/ ETCS - such as projects ESA 3InSat (2012-2015), Certification of the Satellite Navigation System Galileo for Railway Telematic Applications (2007-2010), GNSS Local Elements for Railway Signalling (2006-2008), Architecture of Train Position Locator for Safety-Critical Applications (2003-2005). In the period 2016-2017, the UPA was involved in the EU-US H2020 RHINOS project and contributing to the requirements for ETCS virtual balise specification, safety analyses related



to use of EGNOS within ERTMS/ETCS and certification process of EGNOS into ERTMS integration. The University of Pardubice organised 2 days RHINOS workshop at GSA facilities in Prague in 2017 with the participation of European railway and GNSS stakeholders including Stanford University. 2.3 Work Breakdown Logic



3 STEMS PROJECT OVERVIEW

An overview of the work carried out in each of the three work packages is provided below. It is of note that STEMS has built on a working paper authored by ESA and GSA [RD 6] [RD 7]. 3.1 WP1000: Review and Consolidation of Requirements and Assumptions

for Virtual Balise Detection in ERTMS using GNSS Within WP1000, the technical requirements and assumptions for Virtual Balise Detection using GNSS were identified utilising identified reference documentation. An overview of the virtual balise concept was firstly given, including definitions of relevant terminology, architecture, relevant scenarios and operations, and performance parameters. Baseline assumptions to be applied within the project were stated as follows, some being derived during the Industry Stakeholder Workshop held on 24th October 2018:

• The study was based on SBAS ‘as-is’, i.e. currently operational SBAS which provides an augmentation of GPS L1 only.

o This includes the EGNOS Safety of Life (SoL) service provided by EGNOS V2 and a future EGNOS V3.

o Multi-frequency, multi-constellation SBAS is outside of the scope of this work. o No SBAS system-level modifications were to be proposed or considered.

• The study considered SBAS provision of integrity in the range-domain, rather than the

position domain.

• The study considered a system function which retrieves SBAS messages at the Trackside and distributes them to the Onboard. For consistency in the study, this will be referred to as the GNSS Augmentation Distribution Function (GADF).

o No fixed assumptions were made regarding the data processing functionality of GADF; however, the study made recommendations on this subject.

o GADF will retrieve SBAS messages from the Signal-In-Space (SIS) using Trackside receiver(s). Alternative services such as the EGNOS Data Access Service (EDAS) were not considered since they do not currently provide any safety commitments. It is acknowledged that this may change in the future.

o No fixed assumptions were made regarding the communications system used to distribute augmentation data from Trackside to the Onboard, however, the study made recommendations on this subject.

o Regarding possible strategies to manage Time To alert (TTA), the study did not impose any latency constraints on the communications system used to distribute augmentation data from Trackside to the Onboard.

• The study was based on Virtual Balise Detection using GNSS for ERTMS and its requirements. However, it is acknowledged that requirements involving the use of GNSS for ERTMS will evolve. This could involve enhancements to odometry and developments to odometry interface within an appropriate framework.



• Local effects and local feared events were assumed to be handled by the Onboard and were outside of the scope of the study.

• It was assumed that track discrimination is not possible with GNSS in ERTMS and must be handled by an alternative method(s).

Requirements for Virtual Balise were then consolidated from available references. Requirements were categorised as follows:

• Performance o Integrity o Other performance requirements

• Other requirements o Functions

§ Virtual Balise Reader § GNSS Augmentation Dissemination Function § Position Verification Function

o Interfaces 3.2 WP2000: SBAS Suitability Analysis for use in ERTMS Within WP2000, the following aspects were analysed taking into consideration SBAS use within ERTMS:

• The SBAS usage concept. • SBAS performance, safety assurance and risk assessment. • SBAS assumptions on the GNSS receiver and implications for ERTMS application. • SBAS time to alert performance. • The identification of gaps and issues. • Recommendations on how the identified gaps and issues can be addressed. • The identification of potential impacts on current SBAS systems. • Achievable safety.

The work began by defining a usage concept for SBAS in ERTMS, based on the assumptions from WP1000 and other activities taking place in parallel to STEMS. The following hypotheses were made:

• As per the baseline assumptions described above, the SBAS integrity concept for the railway was based on the provision of integrity in the range-domain, rather than the position domain. In this case, there would be no commitments from SBAS in the position domain.

• !!"# and !$%&' values (associated with UDRE and GIVE respectively) would be applied as inputs to railway-specific protection levels.

• The user would be able to assume that pseudoranges for satellites monitored by SBAS are fault-free from system-level feared events (i.e. those originating from the GNSS space segment and ground segment) and ionosphere feared events, up to the target level of integrity.

• The fast corrections, slow corrections and ionospheric model would be used to improve accuracy.



A high-level and simplified functional architecture based on the work undertaken in the Shift2Rail programme X2Rail-2 project was considered for Virtual Balise Detection in ERTMS using GNSS.

It is also acknowledged that other parallel work e.g. Tech4Rail envisages the use of GNSS not only for Virtual Balise Detection but also for other ERTMS applications such as enhanced odometry. The simplified functional architecture was also applicable to the case of enhanced odometry.

Analyses of SBAS performance, risk assessment and safety assurance aspects were then performed. SBAS performance analysis reviewed how performance is currently defined in the position domain and certified for aviation applications, and how it could potentially be translated to the range domain in support of SBAS cross-certification for the rail domain. Much of this involved reviewing the EGNOS SoL Service Definition Document [RD 4] and ICAO SARPS [RD 5].

Risk assessment involved reviewing work carried out in the following projects/studies:

• Next Generation Train Control (NGTC) [RD 8] to [RD 15] • STARS [RD 16] • ERSAT-GGC [RD 17], [RD 18]

According to SUBSET-091 [RD 19], the maximum allowed rate of occurrence of the ETCS Core Hazard is 2.0e-09 / h; i.e. 1.0e-09 / h for ETCS onboard installed on a train and 1.0e-09 / h for ETCS trackside installed in an area visited by a train during a reference mission.

NGTC, STARS and ERSAT GGC follow a uniform apportionment of the 2.0e-09 THR, allocating 0.67e-09 to each grouping of constituents:

• On-board functions (trusted parts) • Trackside functions (trusted parts) • Transmission functions (un-trusted parts)

Within the scope of transmission functions are balise sub-system hazards, which can be divided according to SUBSET-088 [RD 20] into:

• TRANS-BALISE-1 – Incorrect balise group message received by onboard Kernel functions as consistent (Corruption)

• TRANS-BALISE-2 – Balise group not detected by onboard Kernel functions (Deletion) • TRANS-BALISE-3 – Inserted balise group message received by onboard Kernel

functions as consistent (Insertion / Cross talk)

Possible allocations to these hazards in the case of the virtual balise transmission system are reviewed in D201 (and D202). An independent GNSS diagnostic function has been proposed in previous projects to cover the gap between the target THR for TRANS-BALISE-3 and the integrity risk sources not related to the train, which includes GNSS. Analysis of safety assurance found that the Common Safety Method for Risk Evaluation (CSM-RA) and Assessment is relevant to the Virtual Balise concept. Safety assurance was further analysed in WP3000.



SBAS assumptions on the GNSS receiver were analysed, by reviewing the ICAO SARPS [RD 5] and the legacy Minimum Operational Performance Standards (MOPS) i.e. DO-229E [RD 22]. Those receiver requirements that apply to the SBAS integrity concept for the railway were identified along with any issues/gaps. These requirements would form the basis of an equivalent standard for the railway which may be referred to as ‘railway GNSS receiver guidelines’. The identified gaps are given in Table 3-1, with corresponding recommendations in Table 3-2.



Gap Identifier

DO-229E Reference Section

Applicable Section of D201

Requirement Summary Gap Description

GAP-REC-001

2.1.1.4.9 Message Timeout Periods

5.2.2.1.1.4 Upon the expiration of the timeout period corresponding to a data item, that data should no longer be used. Data items for which the timeout period has not expired should continue to be used until replaced. For the fast corrections, the timeout intervals should be calculated based on the fast correction degradation data from MT7. Timeouts for other data are defined in a lookup table given in this section of the MOPS (DO-229E).

For LNAV/VNAV, LP, LPV when no valid SBAS message has been received for 4 seconds due to a probable communications link issue, all UDREI data from that SBAS satellite shall timeout. While being directly applicable to the GADF, this requirement also needs to be considered from the point of view of the Onboard receiver with respect to the communications link between the Trackside and Onboard. Timing out of UDREI data shall result in a loss of availability of SBAS integrity.

GAP- REC-002

2.1.1.4.9 Message Timeout Periods

5.2.2.1.1.4 The applicable timeout interval for UDREI terms is 12 seconds and that for fast corrections can also be this low (corresponding to the highest degradation factor). This represents a potential issue for the SBAS Integrity Concept for Rail in case the total TTA for rail (SBAS TTA + ‘Train TTA’) is 12s or greater since this data would timeout before it is possible to use it. The implications of this depend on the approach taken by the Onboard receiver to the management of the TTA, but in any scenario, it must be ensured that the fast corrections and UDREI applied have not timed-out. Timeouts are further discussed in GAP-TTA-005.

GAP- REC-003

2.1.4.1.1 Smoothing

5.2.2.1.4.1 The equipment shall perform carrier smoothing that must meet a minimum level of performance (error less than 0.25m within 200 seconds after initialisation), conditional on a maximum level of code-carrier divergence (0.018m/s). An example of an acceptable smoothing filter is provided, based on a fixed time constant of 100 seconds.

The requirement for carrier-smoothing of code measurements represents a challenge in the railway environment due to frequent signal obstructions which block signals and induce non-line-of-sight (NLOS) conditions in carrier phase measurements. A railway receiver smoothing filter may need to use a lower time constant or a time-variant approach to be effective.

GAP- REC-004

2.1.4.1.1 Smoothing

5.2.2.1.4.1 The potential use of a different smoothing filter may impact on the validity of the broadcast error bounds !!"#$ and !%&'$, which are computed based on the assumption of a MOPS-compliant filter being applied by the user receiver, taking into account potential maximum bias due to divergence in the presence of the worst-case ionospheric gradient for such a filter. This is a critical point to take into account for



Gap Identifier

DO-229E Reference Section

Applicable Section of D201

Requirement Summary Gap Description

the SBAS Integrity Concept for Rail, which is based on those bounds, to be valid.

GAP- REC-005

2.1.4.1.1 Smoothing

5.2.2.1.4.1 The definition of TTA assumes a MOPS-compliant user receiver. The use of a different smoothing filter may affect the point in time at which, given the presence of a feared event on satellite X, the pseudorange of satellite X is affected by the feared event, and therefore the TTA that is actually experienced by the user. This may represent a safety issue in the event that the (smoothed) pseudorange of satellite X is affected by the feared event at a moment in time that is earlier than that at which the corresponding pseudorange is affected at any SBAS reference station (thus potentially meaning that the TTA that is experienced by the user is greater than the requirement).

GAP- REC-006

2.1.1.6 Satellite Selection

5.2.2.1.1.6 Describes the process for selection and monitoring of GEO PRN, as well as the selection of GPS satellites for processing based on “health” designations.

Any GPS satellite that is designated GPS UNHEALTHY shall be excluded from processing unless it is overridden by an SBAS HEALTHY designation. This overriding is applicable in all events unless the GPS UNHEALTHY designation is due to failure of parity on five successive words or “due to default navigation data shall not be used”. The way in which this is handled depends on whether a trackside navigation message distribution function is included in the system architecture.

Table 3-1: Gaps related to Onboard GNSS Receiver



Gap Identifier

Recommendations

GAP- REC-001

The communications link between the Trackside and Onboard is yet to be agreed in the railway community. Robustness of the link is paramount to enabling the SBAS Integrity Concept for Rail.

GAP- REC-002

The communications link between the Trackside and Onboard is yet to be agreed in the railway community. It should be selected so as to enable the ‘Train TTA’ [RD 6] (the additional time incurred by the use of Trackside GADF with relay to the Onboard) to be below 6 seconds, taking into account that GADF processing and VBR processing will contribute to the Train TTA.

GAP- REC-003

As raised during previous sections of this document, it is expected that the use of GNSS in ERTMS will require the use of a smoothing filter with a time constant that is different (lower and/or time-varying) with respect to that recommended in DO-229E [RD 22].

The smoothing filter presented in the LAAS MOPS DO-253B [RD 24] is identical to that presented in the WAAS MOPS, repeated in Section 5.2.2.1.4.1 of D201 (and D202), with the exception of the term α, which is defined as follows:

• After 100 seconds has elapsed since filter start-up, α shall be equal to the sample interval in seconds divided by the time constant of 100 seconds.

• In the first 100 seconds since filter start-up, α shall be equal to the sample interval in seconds divided by either 100 seconds or the time in seconds since the filter start-up.

So, this allows for a difference in implementation during the first 100 seconds since filter start-up in terms of the time constant applied. This option means that initially all of the weight is applied to the unsmoothed current code measurement. This weight then starts to decrease as of the second epoch, and correspondingly the weight is given to the differenced carrier measurement term then increases at each epoch, up until 100 seconds is reached. This represents a possible option for railway use of SBAS, subject to system-level evaluation.

Some alternatives to the standard Hatch filter are evaluated in [RD 25].

The choice of an appropriate filter for use in the railway domain will be subject to advancements in carrier phase tracking in the railway environment, and the achievement of a better understanding of the extent to which carrier phase tracking can be continuously performed (without cycle slips).

For an alternative filter to be accepted it must be compatible with existing safety commitments and must meet a minimum level of performance (error less than 0.25m within 200 seconds after initialisation) conditional on a maximum level of code-carrier divergence (0.018m/s). It may be the case that no such filter exists, in which case the only option is to lower the time constant with the standard Hatch filter or to improve carrier phase tracking in the railway environment such that the standard Hatch filter may be used with a time constant of 100 seconds.

GAP- REC-004

This is linked to GAP-RX-003. In order to ensure the validity of !!"#$ and !%&'$, the selected smoothing filter must be compatible with existing safety commitments and must meet a



Gap Identifier

Recommendations

minimum level of performance (error less than 0.25m within 200 seconds after initialisation) conditional on a maximum level of code-carrier divergence (0.018m/s).

GAP- REC-005

The analysis is required into the impact of the standardised Onboard receiver smoothing filter on the point in time at which, in the presence of a feared event on satellite X, the pseudorange of satellite X is affected.

GAP- REC-006

Regardless of whether a trackside navigation message distribution function is included in the system architecture, it is recommended that the Onboard receiver decodes the GPS navigation data in order to check parity and enable it to process “health” designations in accordance with DO-229E.

If a trackside navigation message distribution function is included in the system architecture, then it is assumed that this would decode the GPS navigation data from the signal-in-space, before distributing to the Onboard. In this scenario, it would need to provide sufficient information to the Onboard in order for it to be able to process “health” designations in accordance with DO-229E.

Table 3-2: Recommendations on how identified SBAS Receiver Gaps can be addressed

WP2000 also included analysis of the SBAS Time To Alert (TTA) and methods to handle it for application in ERTMS. The criticality of the TTA budget and its impact on safety in the context of Virtual Balise Detection depends on the strategy employed for managing it. A-posteriori verification of integrity and coasting from the last verified measurements are two possible strategies of TTA management (which require supervision of the TTA) previously evaluated in the frame of past activities. Coasting may be based on the use of inertial sensors (IMU), odometer or carrier phase measurements (with Relative RAIM algorithms). Railway perimeter TTA requirements are currently undefined, and so only the 6s TTA with the SBAS service perimeter was considered, taking into account that latency constraints cannot be imposed on already established communications channels e.g. EURORADIO. 3.3 WP3000: Analysis of the suitability of SBAS for Cross-Acceptance by

Railway Safety Authorities Within WP3000, the concept of cross-acceptance of EGNOS by the railway community for application in ERTMS was analysed. This involved considering a methodology for building a corresponding safety case. As a result, the feedback was provided on a number of proposal statements made in the ESA/GSA working paper “Preliminary Study on the Use and Certification of EGNOS in Interoperable Railway Control-Command and Signalling Subsystems” [RD 7]. The work began with a general overview of regulatory railway aspects, including consideration of stakeholders, the railway authorisation process and conformity assessment for modified interoperability constituents. This considers that modifications may be required to the Onboard and RBC interoperability constituents (ICs), but also that there is the possibility of new ICs being defined in the longer term. Such modifications are dependent on updating the mandatory specifications listed in Annex A of the Control, Command and Signalling Technical Specification for Interoperability (CCS TSI) and in the definition of a possible new IC. Conformity assessment of the ICs would probably be carried out by a Notified Body (NoBo),



against essential requirements included in a future TSI. The concept of suitability for use was considered (based on a proposal made in the working paper [RD 7]), concluding that this cannot be applied as it is not required by the CCS TSI. The TSI only requires compliance with the relevant basic parameters. In addition, the application of the module CV (in which the procedure of suitability for use is described, defined in Commission Decision 2010/713) is applicable for constituents for which validation is necessary by in-service experience. Further, module CB or CH1 is required to demonstrate evidence of the conformity assessment of the constituent with the design. The regulatory frameworks applicable to EGNOS in the aviation domain and the railway domain based on ERTMS technology were then analysed in order to define a practical interface between them. This included consideration of the process for cross-acceptance of EGNOS in the railway domain, implications for Infrastructure Managers and required amendments to the CCS TSI. It is proposed that it is not necessary to have an agreement between the individual IMs and the EGNOS Service Provider (ESP). Instead, this agreement would be better made with the ERA. This is supported by the new process included in the CCS TSI, where the IM has the responsibility to classify their network for the Register of the Infrastructure (RINF) and for the ERTMS System Compatibility and Radio System Compatibility (ESC/RSC). For ESC/RSC, the IM has to classify the requirements necessary for the demonstration of interoperability technical compatibility. This demonstration has to be done using the ESC/RSC parameters. Each IM has to notify the ERA of the ESC/RSC parameters. The ERA is responsible for publishing and managing the set of parameters to support ERTMS technical compatibility. Then, with this classification available, as the ERA is responsible for the ESC/RSC, it can be also responsible for defining a generic GADF based on a common trackside configuration. The definition of the ESC/RSC can be also used by the ESP for adapting their services to the needs of the individual lines where EGNOS will be used. Following on from this, an explanation was given of the current safety management and risk management process applicable to the railway, considering how safety may be justified for the use of EGNOS in this context. Finally, the process for safety demonstration and acceptance was analysed. A proposal was made for how to cross-accept the existing EGNOS SoL service (recognising that it would be adapted to create a dedicated railway service) and its safety case, based on the CSM-RA overarching process. The cross-acceptance process would also involve acceptance of the EASA (European Aviation Safety Agency) certification of the ESP as an ANSP (Air Navigation Service Provider) by ERA. This possibility will be only applicable if the “proposer” of the change is the ERA and if the risk assessment process is performed by both entities (EASA and ERA). Cross-acceptance could be achieved by considering EGNOS as a “pre-existing item” as specified in the IEC61508 and CENELEC EN50129 standards. This would mean that no additional development of the safety case according to EN50129 or IEC61508 would be required for EGNOS. The safety-related function performed by EGNOS according to §6.2 of EN50129 (2018) may be classed based on a) requirements for use of complete pre-existing systems or b) requirements for use of pre-existing equipment. The approach adopted would require approval by an independent safety assessor. It is proposed that the concept of a Safety Manual as defined in IEC61508, but not explicitly mentioned in EN50129 (2018), is used to provide the safety evidence required for a pre-existing item by EN50129. The EGNOS safety case would provide input to the Safety Manual, with any restricted information being hidden from suppliers/manufacturers (only visible to ERA). Virtual balise detection (considered as a generic application) requires a safety case, which will refer to the supporting evidence in the



form of this Safety Manual. Safety evidence supporting EGNOS integration with ERTMS developed by industry should be assessed separately.



4 CONCLUSIONS

4.1 Project Outcomes STEMS has investigated the use of EGNOS for applications of GNSS in ERTMS, considering the legacy service (EGNOS V2, V3,1) and the system as-is with an integrity concept for railway based on the provision of integrity in the pseudorange domain. The use of EGNOS in this way would allow the railway user to assume that pseudoranges for satellites monitored by SBAS are fault-free from system-level feared events (i.e. those originating from the GNSS space segment and ground segment) and ionosphere feared events, up to the target level of integrity. Mitigation of local effects and feared events would be the responsibility of the Onboard supplier. Due to its relative maturity, the focus has been on the Virtual Balise concept however consideration has also been given to other applications of GNSS in ERTMS e.g. enhanced odometry. STEMS has built on the working paper authored by ESA and GSA [RD 6] [RD 7]. The most significant outcomes of the work are:

• Review and consolidation of requirements for Virtual Balise Detection in ERTMS using GNSS.

• In-depth review of aviation MOPS i.e. DO-229E [RD 22], identifying applicable parts to the SBAS integrity concept for the railway, issues/gaps (see Table 3-1) and recommendations to address these (see Table 3-2).

• Analysis of the concept of cross-acceptance of EGNOS for use in the railway domain, considering interoperability and safety requirements and the authorisation process. A proposal has been made to consider EGNOS as a “pre-existing item” as specified in the IEC61508 and CENELEC EN50129 standards, developing a Safety Manual as defined in IEC61508 in order to provide the required safety evidence.

• Feedback has been provided on a number of proposal statements made in the ESA/GSA working paper [RD 7].

4.2 Future Work The outcomes of STEMS may be further developed in future work as follows:

• Drafting of railway receiver guidelines (for the Onboard). • Analysis of receiver requirements at Trackside/Wayside i.e. the receiver used in the

GNSS Augmentation Distribution Function. • Assessment of the suitability of EGNOS for consideration as a pre-existing system or

pre-existing equipment as defined in EN50129 (2018). • Development of full safety case. • Extension of analysis to cover the EGNOS V3.2 Dual-Frequency Multi-Constellation

(DFMC) service, including receiver assumptions/requirements based on DFMC MOPS [RD 23].

• Extension of analysis to cover a hypothetical safety-related EGNOS railway dissemination channel.

• Extension of analysis to other safety-related domains which have differences with respect to aviation in terms of operational and regulatory environments e.g. maritime, automotive.



End of Document